Security Layer (TLS) protocol to support the Camellia encryption
algorithm as a block cipher.

1. Introduction


The Camellia cipher suites are already specified in RFC 5932 [15] 
with SHA-256-based Hashed Message Authentication Code (HMAC) using 
asymmetric key encryption. This document proposes the addition of 
new cipher suites to the Transport Layer Security (TLS) [8] protocol 
to support the Camellia [4] cipher algorithm as a block cipher 
algorithm. The proposed cipher suites include variants using the 
SHA-2 family of cryptographic hash functions [13] and Galois Counter 
Mode (GCM) [14]. Elliptic curve cipher suites and pre-shared key 
(PSK) [5] cipher suites are also included. 


1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [3].

2. Proposed Cipher Suites

2.1. HMAC-Based Cipher Suites

The eight cipher suites use Camellia [4] in Cipher Block Chaining
(CBC) [4] mode with a SHA-2 family HMAC using the elliptic curve
cryptosystem:

CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x72};
CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x73};
CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x74};
CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x75};
CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x76};
CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x77};
CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x78};
CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x79};


2.2. GCM-Based Cipher Suites 


The twenty cipher suites use the same asymmetric key algorithms as 
those in the previous section but use the authenticated encryption 
modes defined in TLS 1.2 [8] with Camellia in GCM [14]. 


CipherSuite TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x7A};
CipherSuite TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x7B};
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x7C};
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x7D};
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x7E};
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x7F};
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x80};
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x81};
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x82};
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x83};
CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x84};
CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x85};
CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x86};
CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x87};
CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x88};
CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x89};
CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x8A};
CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x8B};
CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x8C};
CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x8D};

2.3. PSK-Based Cipher Suites

The fourteen cipher suites describe PSK cipher suites. The first six
cipher suites use Camellia with GCM, and the next eight cipher suites
use Camellia with SHA-2 family HMAC using asymmetric key encryption
or the elliptic curve cryptosystem.

CipherSuite TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x8E};
CipherSuite TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x8F};
CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x90};
CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x91};
CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x92};
CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x93};
CipherSuite TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x94};
CipherSuite TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x95};
CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x96};
CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x97};
CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x98};
CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x99};
CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x9A};
CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x9B};

3. Cipher Suite Definitions

3.1. Key Exchange

The RSA, DHE_RSA, DH_RSA, DHE_DSS, DH_DSS, ECDH, DH_anon, and ECDHE
key exchanges are performed as defined in RFC 5246.

3.2. Cipher

This document describes cipher suites based on Camellia cipher using
CBC mode and GCM. The details are as follows.

The CAMELLIA_128_CBC cipher suites use Camellia [4] in CBC mode with
a 128-bit key and 128-bit Initialization Vector (IV); the
CAMELLIA_256_CBC cipher suites use a 256-bit key and 128-bit IV.

Advanced Encryption Standard (AES) [19] authenticated encryption with
additional data algorithms, AEAD_AES_128_GCM and AEAD_AES_256_GCM,
are described in RFC 5116 [7]. AES GCM cipher suites for TLS are
described in RFC 5288 [9]. AES and Camellia share common
characteristics including key sizes and block length.
CAMELLIA_128_GCM and CAMELLIA_256_GCM are defined according to those
of AES.

3.3. PRF

The hash algorithms and pseudorandom function (PRF) algorithms for
TLS 1.2 [8] SHALL be as follows:

a. The cipher suites ending with _SHA256 use HMAC-SHA-256 [1] as the
MAC algorithm. The PRF is the TLS PRF [8] with SHA-256 [13] as
the hash function.

b. The cipher suites ending with _SHA384 use HMAC-SHA-384 [1] as the
MAC algorithm. The PRF is the TLS PRF [8] with SHA-384 [13] as
the hash function.

When used with TLS versions prior to 1.2 (TLS 1.0 [2] and TLS 1.1
[6]), the PRF is calculated as specified in the appropriate version
of the TLS specification.

3.4. PSK Cipher Suites

PSK cipher suites for TLS are described in RFC 5487 [11] as to
SHA-256/384 and RFC 5489 [12] as to ECDHE_PSK.

4. Security Considerations

At the time of writing this document, there are no known weak keys
for Camellia. Additionally, no security problems with Camellia have
been found (see NESSIE [16], CRYPTREC [17], and LNCS 5867 [18]).

The security considerations in previous RFCs (RFC 5116 [7], RFC 5289
[10], and RFC 5487 [11]) apply to this document as well.

5. IANA Considerations

IANA allocated the following numbers in the TLS Cipher Suite
Registry:


CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x72};
CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x73};
CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x74};
CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x75};
CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x76};
CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x77};
CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x78};
CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x79};
CipherSuite TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x7A};
CipherSuite TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x7B};
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x7C};
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x7D};
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x7E};
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x7F};
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x80};
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x81};
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x82};
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x83};
CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x84};
CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x85};
CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x86};
CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x87};
CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x88};
CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x89};
CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x8A};
CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x8B};
CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x8C};
CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x8D};
CipherSuite TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x8E};
CipherSuite TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x8F};
CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x90};
CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x91};
CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0, 0x92};
CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0, 0x93};
CipherSuite TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x94};
CipherSuite TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x95};
CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x96};
CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x97};
CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x98};
CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x99};
CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0, 0x9A};
CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0, 0x9B};
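
Sections 3.2 and 3.3 together determine which hash drives the TLS 1.2 PRF for a given suite and how much key material the suite draws from it. The Python below is an added example, not part of the original document: it rebuilds the code-point table from the suite listings and derives the key block for one suite. All function names are hypothetical, and the key-block layout assumes the TLS 1.2 record layer (per-record explicit CBC IV, 4-byte implicit GCM salt as for the AES-GCM suites).

```python
import hashlib
import hmac

def build_registry():
    """Rebuild the 42 code points {0xC0,0x72}..{0xC0,0x9B} in document order."""
    ec = ["ECDHE_ECDSA", "ECDH_ECDSA", "ECDHE_RSA", "ECDH_RSA"]
    groups = [
        (ec, "CBC"),                                              # Section 2.1
        (["RSA", "DHE_RSA", "DH_RSA", "DHE_DSS", "DH_DSS", "DH_anon"] + ec, "GCM"),
        (["PSK", "DHE_PSK", "RSA_PSK"], "GCM"),                   # PSK, first six
        (["PSK", "DHE_PSK", "RSA_PSK", "ECDHE_PSK"], "CBC"),      # PSK, next eight
    ]
    names = [f"TLS_{kx}_WITH_CAMELLIA_{bits}_{mode}_{h}"
             for kxs, mode in groups for kx in kxs
             for bits, h in ((128, "SHA256"), (256, "SHA384"))]
    return {(0xC0, 0x72 + i): name for i, name in enumerate(names)}

SUITES = build_registry()

def suite_params(code):
    """Derive the Section 3.2 / 3.3 parameters from the suite name."""
    bits, mode, h = SUITES[code].rsplit("_", 3)[1:]
    prf_hash = h.lower()                       # "sha256" or "sha384"
    return {
        "prf_hash": prf_hash,
        "enc_key_len": int(bits) // 8,
        # CBC suites need an HMAC key; GCM suites are AEAD and need none.
        "mac_key_len": hashlib.new(prf_hash).digest_size if mode == "CBC" else 0,
        # Assumption: TLS 1.2 record layer. CBC takes its 128-bit IV from each
        # record; GCM keeps a 4-byte implicit salt, as the AES-GCM suites do.
        "fixed_iv_len": 4 if mode == "GCM" else 0,
    }

def tls12_prf(hash_name, secret, label, seed, length):
    """TLS 1.2 PRF: P_hash(secret, label + seed), truncated to length bytes."""
    seed = label + seed
    out, a = b"", seed                         # A(0) = label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def key_block(code, master_secret, client_random, server_random):
    """Expand the master secret into the key material this suite consumes."""
    p = suite_params(code)
    n = 2 * (p["mac_key_len"] + p["enc_key_len"] + p["fixed_iv_len"])
    return tls12_prf(p["prf_hash"], master_secret, b"key expansion",
                     server_random + client_random, n)
```

Calling `key_block((0xC0, 0x8A), ...)` with a 48-byte master secret and the two 32-byte randoms yields 40 bytes for the 128-bit GCM suite, while the 256-bit CBC suite `(0xC0, 0x73)` needs 160 bytes because it also carries two HMAC-SHA-384 keys.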